Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

First time accepted submitter FearTheFez writes "Social Engineering and poor DNS Security lead to a Bitcoin heist worth about $12000. Bitcoin broker Bitinstant was robbed after thieves managed to take over ownership of their domains. While Bitinstant claims that no customers lost any money, without 2 factor authentication all it took was a place of birth and a mothers maiden name to gain access. This looks like poor security from everyone involved."

If a standard currency exchange was robbed for $12,000 we would not even read the story. This is a trivial crime and of little interest. It serves more as a warning rather than as a bank robbery story. I hope that those that are concerned learn from this but if this is the crime of the century in the Bitcoin world then they are doing really well.

Part of the hack was to exploit the unsecure procedures at the DNS registrar to add a new e-mail address for administering the victim's domain.

Any other company at the same registrar could fall victim for this, even a bank! And actually many registrars are this unsecure: not so long ago, it was possible to do similar things with just a faxed request with a (faked) signature. Not even necessary to know birth town and mother maiden name.

So, blaming this on lack of PHP (or other) coding skills of the victim is silly. Blame the insecure DNS registrar.

What would protect a brick and mortar bank against a similar hack would not be its coding skills, but rather its notoriety: a DNS registrar would hesitate if suddenly somebody asked to add a hotmail e-mail address to a well-known bank's registry information, and would try to confirm this by phoning back the bank during business hours before doing such change.

The DNS registrar actually spoke about this incident publicly - it turns out that there was no social engineering, BitInstant just selected dumb security questions/answers when they registered the domain name. It's poor security on BitInstants part, no more or less.

BitInstant just selected dumb security questions/answers when they registered the domain name.

Wait, were the questions dumb, or the answers?

Allowing your clients to select dumb, insecure questions means that you have an optionally secure registration platform, which requires your customers to be competent about security.

To me, this kind of incedent points out the need for a more expensive, higher security registrar, who designs systems which are very hard to subvert. Till now, DNS regstrars have competed on price. This story says that security is important too, especially when control of the domain

Part of the hack was to exploit the unsecure procedures at the DNS registrar to add a new e-mail address for administering the victim's domain.

Any other company at the same registrar could fall victim for this, even a bank! And actually many registrars are this unsecure: not so long ago, it was possible to do similar things with just a faxed request with a (faked) signature. Not even necessary to know birth town and mother maiden name.

We had this at our company last year. Someone hacked into our account at the DNS provider, changed the DNS for the mail of one domain, then used that to request a new password for our Amazon EC2 account, which had two-factor login. They called Amazon, which disabled the two-factor login, after which they could take over the Amazon account. It took us two days to gain full control back over the account, as Amazon was unable to log the out. The DNS provider didn't give any good explanation about how this was

If a standard currency exchange was robbed for $12,000 we would not even read the story. This is a trivial crime and of little interest. It serves more as a warning rather than as a bank robbery story. I hope that those that are concerned learn from this but if this is the crime of the century in the Bitcoin world then they are doing really well.

No, the Bitcoin crime of the century was last year when the same server was hacked twice, to a tune of several hundred thousand dollars, as mentioned in TFA. Bitcoin hacks are becoming more and more common, so it's only a matter of time before that amount is surpassed.

Personally I don't see the point of bitcoins. I don't pay for everything in cash in the real world because it lacks the protections that other payment methods have. I don't see a reason to use a digital equivalent of cash in the online world. Bitcoins' anonymity might be it's biggest strength, but it's also it's biggest weakness.

I pay for everything in cash or debit card, but the card is only for convenience - my salary is wired to the bank account, so to have cash I have to go to an ATM and take it. Also, since I also buy stuff online, I have to have money in my bank account (since I can't pay an online store in cash).

Bitcoin has some problems though. When I pay in cash, I am physically in the store, I can inspect the item etc and if the store does something wrong, I know where it is and can complain to the authorities. Online pur

There's nothing stopping you from conducting a Bitcoin transaction in person, aside from the other party needing to hold and/or be able to receive BTC as well. For the holding part, new solutions providers such as Coinbase [coinbase.com] are starting to focus on merchant gateway style solutions. Progress is being made.

I think you're missing some of the benefits of BTC-based transactions. First, they're rather difficult to forge by virtue of reliance upon math for integrity verification. The same can't be said of cash, and the average man on the street would be hard pressed to discern half decent counterfeit paper currency from the real deal. While this particular example may represent a corner case for some, I happen to know two people who have been defrauded with counterfeit currency.

Second, Internet connected devices are everywhere. It's getting rather hard to find people without basic web access via a smart-ish phone in many areas, and full fledged BTC apps are popping up for those with anything fairly modern in terms of radio handsets. I wouldn't be terribly shocked to find devices that cater to simple apps and BTC transactions popping up in developing areas in the near future either.

With respect to waiting for confirmation, most transactions are verified on the BTC network within one hour. If you're willing to pay a small transaction fee to the network, verification can come more quickly. As a side effect of this state of affairs, you might just gain the benefit of meeting up with your transactional counterpart at a coffee house and having a tasty beverage. I call that an excuse to take a break, and welcome it.

Depending of course upon the physical stage for the transaction, the verification period may indeed be a rote formality, more importantly if you've dealt with the other party to the transaction before and most importantly if you plan on dealing with that party again (which represents the very foundation of "credit" ala reputation in economic systems). Again, it's also easy to drastically accelerate the verification time by paying a small transaction fee to the network for processing it. I'd also encourage y

So you'd have to have a gift card ahead of time to the place you want to go... that sounds practical for every day use.

So I'm on a trip, vacation, whatever. I get a flat tire and need to buy a replacement. I either hopefully purchased a gift card to what happens to be the closest tire shop, or I get to sit an EXTRA HOUR waiting for the transaction to process.

Same with gas, or any other impulse buy or anything needed in a hurry.

Bitcoin's version of confirmation means that the transaction is set in stone. It's virtually impossible to conceive of a way that the transaction could ever be undone under any circumstances.

When you use your debit card at the store, this is not what you're doing or getting.

If you just want to know that someone had funds available, and has sent them to you, then you will find that out in a couple of seconds.. It's still theoretically possible (but pretty darn difficult) they they could also spend those fund

The Bitcoin protocol has support for dispute mediation in it (actually, 2-of-3 signing for coins). Unfortunately the surrounding ecosystem does not exist... the features aren't exposed via GUIs and there are no dispute mediators who support it. But probably it will come in future. Right now there doesn't seem to be much demand, many sellers have been able to build a trustworthy reputation.

It's a very volatile market that has no regulation. Or, to put it another way, it's a completely unregulated online casino. If you can't see the market for this, you haven't been paying attention for the last few years...

If you are talking about credit cards, that is completely different. You still have to pay of your credit card somehow.

If you are talking about something linked to a bank account (e.g. like a debit card), then it is similar to paying with bitcoin.

The difference is not in how you pay but how the money is stored. If your money is stored in a US bank account, it can be taken easily be seized by anyone with enough authority. The US government freezes people's bank accounts regularly. If you bury US dollars

Personally I don't see the point of bitcoins. I don't pay for everything in cash in the real world because it lacks the protections that other payment methods have.

But the problems are symmetrical. If you're an American, you're using a different digital currency (USD) that lacks the cryptographic and non-inflationary benefits of Bitcoin. But, over time many groups of people have created systems to allow you to use that currency in a more safe manner than storing large anonymous bits of it yourself. For

That's because you are not a merchant. Credit card fraud is 3% of all credit card transactions, and usually it is the merchant who loses. Credit card processing for legitimate transactions is another couple of percent in fees. A low fee solution with no possibility of charge backs is very attractive relative to this.

Please bear in mind that one of the more interesting aspects of this story is the fact that there is no standard set of currency exchanges for BTC. In fact, it's rather trivial to set one up. For well recognized exchanges, there are various actors in the market, each with varying codebases driving their infrastructure.

This is a fairly direct example of one of the strengths of Bitcoin as a currency, and speaks volumes to the advantages that can be gained by network users who utilize as many distributed excha

Yes, you could do that, and in fact they did. However it doesn't really help because there's no supporting infrastructure for people to download lists of tainted outputs and trigger alerts when a transaction rooted on that output shows up in your wallet, and if there was, it isn't clear what you would do about it, and even if it was, it isn't clear how you'd stop people gaming the system by claiming coins as stolen when they actually were not. But it's technically feasible.

The individual accounts are numbered, in fact the number is the public part of a public-private key pair. An account has a balance which is the sum of all past incoming and outgoing transaction amounts. The amounts are in units called "bitcoins", which are recorded to 8 decimal places. Thus my account is currently 8.51336124 BTC. A transaction is a message signed with your private key (that's how you prove you have the right to make a transaction) giving the number of units to send, and the destination

I've heard a few people with bitcoins complaining about how they can't do anything with them and they're locked in. Apparently there's an online store that catalogs all the stuff you can buy all over the place, with bitcoins . . . and it looked to me like the kind of shitty collection of stuff you'd expect at a flea market. High priced low-end windows laptops and speaker wire and shampoo and shit.

One way of doing it is to use somebody else's info for password reset so you can remember what you entered. Maybe you pick John Kennedy. You'd enter Kennedy's mother's maiden name, Kennedy's dog's name, etc. That way anyone impersonating you by entering your data doesn't get in, but you don't have to remember nonsense answers.

bitcoin is in much more aspects like gold, than you would initially expect.

How would you "disable" stolen gold bars? Theoretically there are ways to mark gold using rare gold isotopes, so that even smelting will not destroy the signature. But this is not practical - it would require isotope detector at every place that trades even smallest amounts of gold.

With bitcoin it is similar. In fact all bitcoins are already marked separately, and can be precisely tracked, but tracking only stolen ones (even if w

The problem is that can transactions can happen faster than the information that fraud occurred. If the coins are marked hot after the thieves already traded them, then the merchants they traded with are out of luck. This would cause merchants in general to be wary of accepting bitcoins, and bring up all the same problems we have with credit cards and other financial instruments today.

Do people really use this stuff in place of real money? I'll keep my real cash thanks... And as the world's currencies (particularly the dollar) are being intentionally devalued, I'll hang on to my precious metals.

Yes we do. And how are "dollars", which mostly exist as database entries, backed by securities which *also* exist as database entries, any more "real"?

The bitcoin network consists of people willing to trade goods and services, and an account database that tracks balances. The database is designed to be very secure, so people are comfortable trading an item now for a balance, with the expectation they can later trade that balance for something else they want. The database itself isn't what gives the balan

I got pizza delivered to the house the other night. It cost me 0.82 bitcoins. Pizza Hut got it there in about 35 minutes.

Of course, Pizza Hut doesn't support using bitcoins directly, but there is a proxy to make it happen... pizzaforcoins.com

Incidentally, the first well documented purchase of anything real using bitcoins was also purchasing pizza (years ago).. The purchaser spent 10,000 BTC to have 2 pizzas delivered. Later after the price of Bitcoin had shot way up, a journalist asked him if he regretted

"With control of the DNS, the bad guys also had control over Bitinstant’s email. They then did an online password reset at a Bitcoin exchange called VirWox and started emptying Bitinstant’s account. The total haul: $12,480"

does that mean you use the exchange to store your keys, which are associated to some set of transactions, and the bad people got the keys that enabled them to grab the loot in terms of using some chain of hashing or what? so what w

This is perhaps arguable in the case of VirWox, the exchange used to move the money out of the account. According to the article, VirWox has offered two factor authentication since September of last year. The fact that BitInstant didn't use it allowed the attackers to succeed with the heist. I say arguable because two factor authentication should probably be mandatory for anything that involves monetary transactions.

Two factor authentication is useless in its current state. The whole question/answer is pointless and only used by banks and other sites to meet buzz word "two factor authentication". The only protection this offers is against a site wide attack against a large set of user accounts at once. But it is absolutely no trouble at all to gather the simple information needed to answer all the typical questions asked in two factor authentication.

In response, some users will put in false answers to the questions ask

I just wanted to add that this test solution I made only works under firefox. Both Chrome and IE fail because they do not provide a safe mechanism for storing login credentials. They also do not provide a strong encrypted and private way of transferring login credentials between various PCs and other devices. Only firefox is strong enough to store your login credentials without potential comprimise. Chrome and IE (and Safari, etc) are weak browsers that should not be used for things like login into banks, f

266 bitcoins? Wow, that would cost at least 12,000 dollars to replace them.

It really doesnt matter how many bitcoins it is or is not. The important aspect is how much value they retain. At the moment it would take a fair amount of money to replace it. Thats like saying: believe it or not, thats only 8 oz of gold. But the quantity means nothing until you try to sell or buy it. So in fact its the dollar value and not the quantity of goods that is significant.

My point of posting that was to show how much bitcoins are worth. Of course the "important aspect" is how much value they retain, how do you think I came up with 266 BTC?! And of course BTC value is on the rise, with bitcoins being harder to mine everyday, with that 21,000,000 bitcoins upward limit. If it were " 26.6 trillion deca-nano" bitcoins stolen, I'd say that right?! But no, I said 266 with the presumed decimal point after the second "6", that everyone else seemed to understand. I also said "approxim

I do not think that any court or official government body recognizes your television as being a legitimate currency but I can be prosecuted for stealing it. If it has value to the owner, it can be stolen.

bitcoins aren't data per se. A person's private key for their bitcoin wallet that is used to transfer ownership of bitcoins is data. It's just a long number. The proof of work used to establish a bitcoin is data. The transaction history of each bitcoin is data.

A bitcoin is more than just the data underlying it. There are may thousands of copies of each bitcoin, but at any given time only one person has the authority to transfer a bitcoin to someone else.

A bitcoin itself cannot be copied. To copy a bitcoin would mean copying it's ability to be spent (allowing it to be spent twice). This would ruin any currency. And much of the design of bitcoin is prevention of double spending.

This is similar to how xeroxing your bank statement doesn't double the amount of money you have in the bank.

No, Bitcoins aren't data, they are imaginary. What was stolen were the secret keys (data) that allow you to spent the Bitcoins. Or you could say that the ownership certificate was changed without the permission of the previous owner.

Maybe it's a bit like if I "steal" your car by convincing the world that it is legitimately mine? Or like if I convince our circle of friends that your imaginary friend hates you now and spends all his time with me so when you tell stories about your adventures with him nobody b

You can absolutely steal data. If you steal someone's debit card and buy a bunch of stuff with it, you have stolen data that allowed you to gain access to their bank account. Someone else ends up losing the stolen dollars you used.

You can't steal language because nobody is trying to keep language a secret. It's public domain. It doesn't belong to anyone.

If someone steals your car in the night, you find no car in your driveway in the morning. If someone steals your television, you have nothing to watch this evening. If someone steals anything, the stolen item is no longer in your possession: that's what stealing is.

If someone discovers your bitcoin wallet private key, your bitcoins will now be stolen and are no longer available to you.

yes you still have your bitcoin wallet private key, but now it's useless because there are no more bitcoins that can be transferred with that private key. I am not saying *all* data can be stolen. I am saying that bitcoin wallet private keys are special in that they behave like real property. They really do stop working correctly once someone else knows them, just like how your car do

It is not the data that is being stolen. Data is just bits and bytes, kilobytes etc. of ones and zeroes.

What APPEARS AS being stolen is the information encoded within the data.What is actually happening is UNAUTHORIZED ACCESS. Possibly unauthorized dissemination of information, revealing of trade and other secrets etc. IF the information is relayed to a third party.

It helps if you think of it as a case of early 20th century spying.A spy intercepts and reads an enciphered radio transmission - he has the data but no information. Information gets to its intended recipient, clearly not stolen.

A spy deciphers the transmission - he has access to what he was actually after. The information.Information still gets to its intended recipient, still not stolen, BUT - the spy above has also had access to information.

So far, all that the spy is guilty of is unauthorized access.If and when he delivers the information to the third party, then he is guilty of various other things. None of them being stealing.

You can absolutely steal data. If you steal someone's debit card and buy a bunch of stuff with it, you have stolen data that allowed you to gain access to their bank account. Someone else ends up losing the stolen dollars you used.

That is not stealing data.That is stealing a physical object, a debit card, THEN using it without authorization to gain access to the bank account, THEN stealing the money from the account.No data was stolen. No, not even when the money was stolen in the end.Data on the card was USED to access the bank account but it was not stolen - the CARD was stolen. And the money.

Same way you are not stealing the position of the teeth on a key used to open a safe - you are stealing a key.

Now, making a copy of the card or key - that's unauthorized copying OR just making a copy.When you bring a "borrowed" key to a key copying store, the employee is not copying a key without authorization. He is just making a copy.YOU are doing the unauthorized copying, but only if there is a specific rule prohibiting access to that key or making copies of it.

Same with the card.Making a copy is unauthorized copying, accessing the account is unauthorized access, stealing money is stealing - but the card or the data were not stolen.Money was.

If you are going to take things that literally, I would say that buying things with a stolen debit card number is not even stealing. There is no physical money exchanging hands at all. It's all just bits on a server somewhere being manipulated.

*) Virtual items have value in virtual of the effort and time invested in obtaining them*) The value in Virtual items is recognised by those that play the game (including the defendents who went to the trouble to take them)*) The Virtual items were under the exclusive control of the player – who was relieved of this control

The court made reference to cases of electricity theft which is a similar intangible good but certainly has properties of power and control, and consequently can be stolen.

I think the court got it wrong, The value inherent in virtual goods is in the price that people are willing to pay for them or would be willing were they on the market. Supply and demand dictates value.

The same can be said for any tangible good, from cars, food, baseball cards and the computer device you're touching right now, to oil, gold, and money itself. The value of a thing is exactly equal to the price someone is willing to pay you for it.

No precedence required. You cant steal data that does not belong to you. Almost all photographs are completely digital now... you think that somehow there is no ownership because they lack the physical quality of pictures from the past? And accessing a website using fake credentials to access someone elses account is illegal in most countries and further it specifically breaks the user agreement for site usage. This was obviously a crime and there is no need to prove whether bitcoins have dollar value or no